There’s an interesting section in the Wikipedia entry for Acceptable Use Policies called “Is an AUP the best approach?” here.
Here’s an excerpt:
In a well-respected essay on the topic of AUP documents, Dave Kinnaman raises the issue as to whether writing and enforcing AUP documents is the right way to approach the governance of how Internet connections are to be used at school, at work or in people’s own free time.
In this essay he raises the question with the perspective that the Internet is no different from anywhere we use 3rd party property. Do we write a “users guide” to go to a school, or do we write a user’s guide to shopping in the shopping mall? No, and why we do not is because we are educating young adults to behave in certain ways when at the shopping mall, or at school, or in the library.
Businesses should have a good AUP document that, according to visionGateway, a business implementing secure networks for businesses, should cover the business legally in any situation that the business might need to take to protect its interests. Also privacy and individual rights need to be addressed.
So the question is, do we teach our students at school and encourage our employees at work to maintain self-control, or do we explicitly outline acceptable use policies? Possibly both AUPs and self-control can be encouraged and when used together it could bring the best outcome for both organisations and individuals.
I think it’s an interesting question, but in the end your auditors are going to ask for your AUP. If you don’t have one they’ll probably tell you to get one.
I really like the easy-to-read-and-understand customer data security policy from ING Direct here.
I wish more companies wrote such simple and clear policies.
Here’s an excerpt:
We take every reasonable precaution to protect your information. When you submit information to us through our web site, your information is protected both on-line and off-line. All data transferred to/from the ING DIRECT internal network, from/to an external entity, is encrypted to industry standards (128 bit encryption). Please keep in mind that messages you send to us by Internet e-mail may not be secure. Do not send us any confidential or personal information by Internet e-mail. We maintain appropriate physical, electronic and procedural safeguards to ensure the security, integrity and privacy of your personal information within our company. Only those employees who require your personal information to perform a specific job are granted access to your personally identifiable financial information. Furthermore, all employees are kept up-to-date on our security and privacy practices. If you have any questions about the security of your information at ING DIRECT, you may contact us at 1-800-ING-DIRECT (1-800-464-3473), or at the following address: ING DIRECT, 1 South Orange Street, Wilmington, Delaware 19801.
If you’re planning on deploying Windows Vista, make sure you follow the Windows Vista Security Guide available from Microsoft Technet here.
This is a description of the hardening guide:
This guide focuses on how to help create and maintain a secure environment for desktop and laptop computers that run Windows Vista. The guide explains the different stages of how to secure two different environments, and what each security setting addresses for the desktop and laptop computers deployed in either one. The guide provides prescriptive information and security recommendations.
Here are the chapters:
Chapter 1: Implementing the Security Baseline
Chapter 2: Defend Against Malware
Chapter 3: Protect Sensitive Data
Chapter 4: Application Compatibility
Chapter 5: Specialized Security – Limited Functionality
Appendix A: Security Group Policy Settings
In particular, the Auditor General said that the security policy doesn’t include a disaster recovery plan.
Even if you work in a private company rather than government, expect auditors to look for both a disaster recovery policy and a disaster recovery plan in your corporate security policy.
The educause.edu site has a chapter from the book Computer and Network Security in Higher Education here.
It does a good job of describing how university security policies should be written.
Here’s an excerpt:
If the goal of institutional policies is to direct individual behavior and guide institutional decisions, then the effectiveness of formal policy statements will depend on their readability and usefulness. Many colleges and universities suffer from the lack of a common and consistent approach or format for writing organizational policies. Policy development is often confused and sometimes derailed because of the misunderstanding and misuse of terms with important meanings to a professional policy administrator, legal counsel, and others.
You can download an archive copy of the chapter here.
The IT Security group at the California Department of Technology Services (DTS) has a security incident response presentation here that describes their incident response plan.
This presentation includes a couple of scenarios where they demonstrate how to implement the Security Incident Lifecycle:
Joel Weise and Charles R. Martin from Sun wrote an excellent Data Security Policy guide which you can download here.
This is a great reference to follow when developing any data security policy.
Here’s an excerpt:
The purpose of this document is to define the Data Security Policy. Data is considered a primary asset and as such must be protected in a manner commensurate to its value. Data security is necessary in today’s environment because data processing represents a concentration of valuable assets in the form of information, equipment, and personnel. Dependence on information systems creates a unique vulnerability for our organization.
Security and privacy must focus on controlling unauthorized access to data. Security compromises or privacy violations could jeopardize our ability to provide service; lose revenue through fraud or destruction of proprietary or confidential data; violate business contracts, trade secrets, and customer privacy; or reduce credibility and reputation with its customers, shareholders and partners. This policy therefore discusses:
Data content
Data classification
Data ownership
Data security
The main objective of this policy is to ensure that data is protected in all of its forms, on all media, during all phases of its life cycle, from unauthorized or inappropriate access, use, modification, disclosure, or destruction. This policy applies to all of our and all customer data assets that exist, in any of our processing environments. The processing environment is considered to be, collectively, all applications, systems, and networks that we own or operate or that are operated by our agents.
In the latest of many recent data security breaches in Britain, a computer was sold on eBay containing personal details of a million bank customers. Experts blame a surfeit of data. [Link]
BATON ROUGE -- A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet last week, sending waves of concern through the real estate community statewide. [Link]
Shaun Nichols in San Francisco, vnunet.com, Thursday 28 August 2008: Linux keys being harvested by hackers. Security experts are warning of a new series of Linux attacks that use stolen Secure Shell (SSH) keys. The SSH protocol is used as a system for securely communicating between networked machines. The system was first designed as a replacement for the less-secure Telnet protocol. [Link]
New controls on computerised data storage have been introduced at a Scottish health authority after equipment containing patients' sensitive details was lost. [Link]
LONDON - A computer containing banking security details of more than one million people has been sold on eBay, bank officials said yesterday - the latest in a series of losses of personal data in Britain. [Link]
MANHATTAN — Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week. [Link]
Researchers demonstrate a serious eavesdropping risk in the internet's fundamental infrastructure, putting proof to a theory that's long been whispered about in national security circles. [Link]
For the last two years New Zealanders have consistently ranked identity theft and financial fraud as the top two security issues that concern them, according to trend analysis of Unisys Security Index™ findings, released to coincide with Privacy Awareness Week. [Link]
LONDON (AP) -- A computer containing banking security details of more than 1 million people has been sold on eBay for $64, bank officials said Tuesday -- the latest in a series of losses of personal data in the UK. [Link]
SAN DIEGO, Aug. 26 (UPI) -- U.S. businesses, universities and government agencies have reported more thefts of personal data so far this year than in all of 2007, a report says. [Link]
Canonical has warned users of all machines running recent versions of Ubuntu to patch their systems and shut an open door for hackers. Canonical is the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel that could have left the door open for hackers to... [Link]
An employee at Home Office contractor PA Consulting has been suspended after the loss of a memory stick holding the unencrypted details of every prisoner in England and Wales. A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England... [Link]
The security team for Google's nascent open-source mobile platform, Android, has attempted to raise its profile with the security community The security team behind Google's mobile platform, Android, has tried to raise its profile among security researchers by appealing for their vigilance in monitoring the platform. ... [Link]
The Linux project lead has said new contributors should 'start small' to avoid becoming frustrated with the Linux kernel development process Linux project lead Linus Torvalds has said it is not easy to become a major contributor to the Linux kernel. In an email interview with ZDNet.co.uk... [Link]
A researcher claims to have found multiple flaws in mobile Java and Nokia Series 40 handsets, and wants Sun or Nokia to pay him almost $30,000 for the details. A Polish security researcher has claimed to have found multiple flaws in mobile Java, but is demanding 20,000 ($29,790) in... [Link]
As data governance becomes a key benchmark of a company's responsibility to enhance and protect data, here are six simple steps that start to develop a program based on individual needs. In the past few years, dozens of high-profile incidents involving data mismanagement have gained international attention. Caught off... [Link]
Junk emailers are using Google Sites to create web pages that can help spam get around corporate filters, according to MessageLabs Spammers have added Google Sites to the arsenal of online tools used to get around junk-email filters, according to a study published on Tuesday by messaging... [Link]
The Linux creator has some harsh words for creators of the OpenBSD operating system, as part of a wider critique of what he sees as self-centered behavior in the IT security industry. Linux creator Linus Torvalds has labeled makers of the OpenBSD operating system a "bunch of masturbating monkeys",... [Link]
Secure Computing's Ken Rutsky tells how to integrate Software-as-a-Service (SaaS), virtualization and appliance security offerings to let users get exactly what they want. In the past, CIOs deployed their own self-contained application architectures on their own servers and storage systems. This old model is giving way to a hybrid... (by Ken Rutsky, Secure Computing) [Link]
The iPhone Dev Team claims to have jailbroken the iPhone 3G, while a former member of the team claims the device has not been unlocked. A group of developers has claimed to have cracked the iPhone 3G. Apple's latest version of the iPhone was released to... [Link]
UK enterprise adoption of the iPhone 3G may be hampered by security issues and Apple's exclusive partnership with O2, among other factors. For years, Apple has paid little attention to products for enterprise users. Now it's pitching its new iPhone 3G as: "The best phone for business. Ever". But... [Link]
Names, addresses, and Social Security numbers of pre-2006 staffers were taken from offices of Colt Express Outsourcing Services. Google has confirmed that personal data of U.S. employees hired prior to 2006 have been stolen in a recent burglary. Records kept at Colt Express Outsourcing Services, an external... [Link]
The Internet Corporation for Assigned Names and Numbers has accepted a proposal allowing companies, cities and others to use almost any suffix they want for a web address. At its meeting in Paris, the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit organization that... [Link]
What is needed to spur unified communications deployment and deliver on the vision of spontaneous collaboration is simple and inexpensive tools that can integrate the existing IT, says Dialcom US's Bob Johnson. Commentary--Normally, when Cisco, IBM and Microsoft move into a market, their presence does... [Link]
One in three information technology professionals abuses administrative passwords to access confidential data, according to a survey. FRANKFURT--One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues' salary details, personal emails or board-meeting minutes, according to a survey. U.S.... [Link]
Cybercriminals are using bots to launch attacks that are more distributed, more profitable and potentially more damaging than ever before, says 8e6 Technologies CEO George Shih. And here's what to do about them. Commentary--There's some good news these days on the IT security front: Cybercriminals... [Link]
Laura Bennett, senior engineering manager at IBM's software development community, discusses how the group helps turn research concepts from the labs into practical products. Semantic Web, rapid application development, data visualization, and health care applications are just some of the emerging software types being investigated by IBM's AlphaWorks... [Link]
The flexibility, efficiency, and reduced cost of ownership virtualization provides makes it extremely compelling to large and small organizations alike, says CiRBA's Andrew Hillier. Commentary--The flexibility, efficiency, and reduced cost of ownership virtualization provides makes it extremely compelling to large and small organizations alike. Increasingly IT organizations are contemplating... [Link]
They envision a world with Linux running on the smallest embedded devices to the largest supercomputer clusters, and all possible devices in between. It's only a matter of time before even desktop Linux becomes the mass market. [The opinions expressed here are mine alone, and not those... [Link]